Since the Russian invasion of Ukraine, there has been a significant increase in hacktivist activity, some of which is possibly state-sanctioned and happening in a highly permissive environment. This blog will investigate how hacktivism has changed since the conflict began, and how the unique nature of the ongoing cyberwar being fought between hacktivist elements on both sides may change the landscape of hacktivism and its role in future conflicts.
The origins of hacktivism can be traced back to the early days of computers and the internet and the movement has developed in tandem with the global adoption of technology. Coined originally as a portmanteau of hacking and activism, loosely defined, hacktivism is the misuse of computers or the internet to perform cyber-attacks to make a political, social, or religious statement or expose a believed injustice.
The inception of hacktivist collectives such as Anonymous and LulzSec have evolved over the years in line with the ever changing and increasingly sophisticated technological landscape. While website defacements and denial of service attacks by groups of hackers continue, hacktivism and hacktivist groups have gained an increasingly influential effect on geopolitical events.
In recent times, lines between hacktivism and other malicious cyber activity have increasingly blurred; both criminal threat actors and state sponsored groups have looked to benefit from hacktivist operations and its members.
Several indications of state sponsored cyber-attacks conducted under the guise of hacktivism have been identified with governments looking to leverage underground hacktivist elements who share a common cause. The ever-increasing volume of criminal cyber-attacks and the resulting emergence of extortion groups has also attracted members of hacktivist factions who are tempted by significant financial incentives.
In the years leading up to the Russian invasion of Ukraine, the world has seen a general decline in traditional hacktivism.
As notable cases of significant law enforcement action against hacktivists were publicised, hacktivism operations shifted away from large scale participation with members increasingly going underground.
This was compounded by both the increase in enterprise network defence and intelligence sharing capabilities within the cyber security industry. Traditionally hacktivist attacks focussed on disruption and defacement of websites and web services, using denial of service attacks and exploitation of vulnerable internet facing web applications. While these TTP’s have generally stayed the same for years, network defence and tooling to detect and respond to attacks has improved significantly. The increased threat of more sophisticated attacks such as ransomware has prompted organisations to improve network defence, resulting in a decrease in effectiveness of traditional hacktivist operations.
Between November 2021 and February 2022, in conjunction with the positioning of Russian forces at the Ukrainian border, a significant increase in cyber activity was identified targeting Ukraine. The activity was predominately attributed to Russian nation state threat actors by Ukrainian and allied nations’ intelligence services.
On 24 February 2022, following months of increasing tensions and military build ups along the Ukrainian border, Russia invaded Ukraine. The move followed a widely condemned announcement by Russian President Vladimir Putin that Moscow now recognised the separatist regions of Donetsk and Luhansk as independent states.
The ensuing conflict not only continues at the time of writing but has sparked worldwide horror at Russian offensive actions in Ukraine which has in turn triggered a digital conflict between pro-Ukrainian and pro-Russian hacktivist groups.
The implementation of, ‘digital warfare’ through the fusion of cyber-attacks and information operations is now a significant feature in any modern-day conflict and advanced Nation’s arsenal. Both in the lead up to and during the war in Ukraine, cyber attacks and information operations tactics have been a consistent and destructive feature used by both sides.
In addition to this, the war in Ukraine has seen an increasingly permissive environment for hacktivist activity coupled with significant coordination by hacktivist elements on both sides, unique to any conflict seen in the past. Throughout the conflict both the Ukrainian and Russian governments have actively encouraged offensive cyber operations against the other which has resulted in a tsunami of hacktivist activity. Due to unprecedented cases of endorsement from their respective governments’ hacktivists are conducting coordinated offensive operations against major targets with no fear of law enforcement reprisal.
At the time of writing, estimates suggest over 70 hacktivist elements are involved in the cyber war that is raging alongside the conflict. The following section focuses on the main groups coordinating, conducting, and recruiting for; such attacks from either side of the conflict.
In the wake of the Russian invasion and the resulting cyber-attacks that targeted the Ukrainian government and its infrastructure with state-sponsored DDoS and destructive malware, Ukraine’s Vice Prime Minister Mykhailo Fedorov announced the creation of ‘an IT army’. Fedorov’s announcement on 26 February 2022, encouraged IT specialist both in Ukraine and internationally to conduct retaliatory cyber-attacks against a series of Russian businesses, banks; and state institutions. This declaration was followed by the emergence of a Telegram group called ‘The IT Army of Ukraine’. The group has since been active in the coordination and encouragement of offensive cyber operations against Russian targets.
At the time of writing the members of the group’s Telegram channel exceed 296,000 and they have been directing attacks against Russian targets throughout the conflict in what they have called ‘World Cyber War 1’.
Anonymous are a hacktivist collective who have been involved in multiple cyber-attacks since their emergence in 2003, the group have consistently launched attacks over the years in campaigns linked to a variety of social and geopolitical issues.
On 24 February 2022, a Twitter account linked to the hacktivist collective Anonymous announced ‘The Anonymous collective is officially in cyber war against the Russian government’. The declaration which coincided with the day of the Russian invasion has been followed by a sustained campaign of cyber-attacks against pro-Russian targets by the group. Notable activity by Anonymous since the conflict began includes the hacking and subsequent data leak of the Central Bank of Russia and the publishing of a list of Russian soldiers deployed in Bucha, a day after potential war crimes by Russian forces were picked up by the world media.
Against the West (ATW) are a hacktivist group that first appeared on Raid Forums on 28 October 2021. ATW describe themselves as 'like-minded individuals who have a grudge against authoritarian and corrupt governments and countries' and have been involved the targeting and breaches of several Chinese, Russian, North Korean, and Iranian targets since their inception.
In late February 2022, following a short hiatus ATW announced via their since suspended Twitter account that they would be joining the cyber war against Russia: ‘We’re back in action. Standing against Russia. Active until Russia stands down’. This has followed a period of significantly increased operational tempo by the group which has resulted in several high-profile cyber-attacks and subsequent data breaches. Since the conflict began ATW have conducted several significant operations including the breach of Russia's biggest lender Sberbank and attacks against multiple Russian government institutions.
Recently ATW have shown a level of sophistication in attacks which highlights the increased capability of certain hacktivist elements. On 09 April 2022, the group announced via their Twitter account that they were in possession of an experimental zero-day exploit for Nginx 1.18. The exploit originated from 'BrazenEagle' which ATW claim is a sister organisation, outlining the increased capability of the group to conduct sophisticated attacks.
GhostSec are a hacktivist group that emerged following the 2015 terrorist attack at the offices of the Parisian satirical newspaper Charlie Hebdo. A subgroup of Anonymous, Ghostsec were part of the Anonymous operation against ISIS. The group reportedly consists of members of Anonymous, ex US military personnel and IT professionals, and gained notoriety through targeted cyber operations against ISIS and its members.
GhostSec joined the cyberwar against Russia on 25 February 2022 by taking down Russia’s mil[.]ru domain. The group accompanied the announcement with the following message ‘GhostSec in support of the people in Ukraine keep fighting Russia cannot win!’. Since this statement GhostSec have maintained a significantly increased operational tempo conducting multiple cyber-attacks in coordination with other pro-Ukrainian hacktivist elements. Notable incidents by the group include attacks assessed Belarusian state-sponsored group GhostWriter (UNC1151) and the hack of Russian printers to print an anti-Kremlin statement across Russia including on government and military networks.
Network Battalion 65 (NB65) are a new hacktivist group that first emerged on Twitter on 26 February 2022 declaring ‘Russia has made a fatal mistake. We are coming’. The next day NB65 released the following statement associating themselves to the Anonymous hacktivist collective: ‘Anonymous is not alone. NB65 has officially declared cyber war on Russia as well. You want to invade Ukraine? Good. Face resistance from the entire world’.
Much like the other pro-Ukrainian hacktivist groups who have joined the conflict, NB65 has waged a consistent campaign of cyber-attacks throughout the conflict with several significant attacks against pro-Russian targets. Notable attacks by NB65 so far include a cyber-attack against the Russian Space Agency and a significant data breach of Russian state media agency VGTRK.
On 11 April 2022, NB65 announced they were conducting ransomware attacks using a modified version of the leaked Conti version 3 ransomware. The sample which has been verified in VirusTotal shows an increased level of sophistication to NB65 attacks and an intent to conduct further destructive attacks against Russian targets. The accompanying ransom note by NB65 references ‘war crimes’ committed by the Russian state, with the group stating that 'Ransomware payments (if any are made) will be donated to #Ukraine'.
The Belarusian Cyber-Partisans are a hacktivist collective who emerged in September 2020. The group has been operational since its emergence, conducting several cyber-attacks in a campaign against Belarusian President Alexander Lukashenko and his government. The group are a figurehead for civilian participation in the Belarusian resistance movement, combining cyber-attacks, anti-censorship operations and the exposure and leakage of the brutality of the Minsk regime.
Unlike other hacktivist elements listed on the pro-Ukrainian side, the Belarusian Cyber-Partisans started their offensive operations before the Russian invasion. On 24 January 2022, the group claimed responsibility for a destructive attack against the Belarusian railway network in opposition to its use in assisting with the movement of Russian ground forces in Belarus. The group have continued attacks against the railway network throughout the conflict.
On 26 February 2022, a Telegram group was created named ‘CYBER ARMY OF RUSSIA – CYBER WAR’. The group’s creation was followed by a series of messages in response to Anonymous’s declaration of cyber war against Russia. In one of the first posts by the Cyber Army of Russia, the group claim to be a collection of ‘like-minded hackers from the fraternal Slavic people’.
It is likely the group was formed following the emergence and collaboration of pro-Ukraine hacktivist groups. The name of the group also shows similarities to the IT Army of Ukraine which was formed on the same day. Just like its Ukrainian counterpart, the Cyber Army of Russia has been active throughout the conflict, directing and coordinating attacks against Ukrainian and Western targets. The group has also been consistent in sharing the success of other pro-Russian hacktivist elements such as KILLNET and XakNet.
KILLNET are a pro-Russian hacker group who emerged on 23 January 2022. The group started as DDoS-as-a-service group, allowing users to rent a botnet to conduct attacks and target websites. Following the invasion of Ukraine, KILLNET shifted their modus operandi to focus on hacktivist activity in support of Russia.
On 25 February 2022, the group created a post on their Telegram titled 'ANONYMOUS, YOUR TIME IS UP!' in an apparent response to several pro-Ukrainian hacktivist elements, including Anonymous, announcing cyber operations against Russia following the invasion.
On 28 February 2022, the group created a post in an apparent call to arms addressing hackers in the 'Russian Federation and the CIS countries'. The group then shared a link to the Telegram group of Cyber Army of Russia encouraging KILLNET followers to subscribe to the channel to see KILLNET attacks. This and the announcement of a partnership with XakNet indicates that the group and several pro-Russian hacktivist elements have joined forces to conduct coordinated cyber warfare operations against Ukraine and its allies. Since then, KILLNET have been highly active conducting multiple cyber-attacks against pro-Ukrainian targets including an attack against a US airport and several Ukrainian government entities.
XakNet are a pro-Russian hacktivist group who emerged on 01 March 2022. Naming themselves a group of Russian patriots, XakNet distanced themselves from ‘illegal activity’ in the following statement released on the day the group was founded: ‘We are opposed to any illegal activity. However, in conditions where an information war is launched against our citizens, we see no other way out but to do what we do’. Despite a softer approach to the ongoing cyberwar than other pro-Russian groups, XakNet also outlined their intent to conduct retaliatory attacks ‘For every hack/ddos in our country, similar incidents will occur in Ukraine’.
As with the hacktivist elements on both sides of the conflict, XakNet have maintained a high operational tempo since their inception conducting multiple attacks and dumping sensitive data. Interestingly, in a move that signifies the state sponsored element of the ongoing cyberwar, XakNet were recently featured on Russian state television in what appears to be a video glorifying the group’s activities. Notable attacks by XakNet include the leakage of data from the Ukrainian Ministry of Foreign Affairs and numerous cyber-attacks against Ukrainian banks.
The Conti ransomware gang are a highly sophisticated and notorious threat actor, known for a campaign of ransomware attacks globally, with over 1,000 reported victims. Despite several setbacks which include the highly publicised leak of the ‘Conti Playbook’, the group maintain a significant operational tempo, announcing new victims on an almost daily basis.
Traditionally, the operators behind Conti ransomware have been motivated by the considerable financial incentives gained from its ransomware operations. However, on 25 February 2022 the Conti ransomware gang posted a statement to their leak site supporting the Russian government's action in Ukraine. The group threatened to target the critical infrastructure of any country that was involved in cyber-attacks against Russia.
Following the declaration of war by Conti, their leak site was subject to cyber-attacks likely by pro-Ukrainian hacktivist elements and have since appeared to have reverted to ransomware attacks against corporate entities. This is likely due to the outrage around the Conti declaration of war which resulted in damaging retaliatory actions including the leakage of internal chat logs by a researcher who had reportedly embedded within the group through the Twitter account ‘ContiLeaks’. The same account also posted a link to a file on VirusTotal, claiming to be the source code for Conti version 3 ransomware in what is likely further retaliatory action against Conti.
The Red Bandits are a pro-Russian hacker group that was reportedly engaged in cybercrime operations under a different name before turning to hacktivism when the conflict in Ukraine began. The group announced their involvement in the cyberwar on 22 February 2022.
After hacking into a series of Ukrainian police dashcams, the group released the following message: ‘If Ukraine does not do what #Russia wants we will escalate our attacks against Ukraine to involve panic scares. We will also consider distributing ransomware’.
In an interview, a member of the Red Bandits said they do not support the war or Putin; however, they were forced to engage in the cyber war for patriotic beliefs. This statement was supported in a Tweet via their now suspended Twitter account: ‘we support our country even if it is wrong’. The group has since been active despite several statements against the war in Ukraine.
Despite a plethora of hacktivist activity in previous conflicts, the 2022 war in Ukraine has not only changed the face of digital warfare but defined a new era for hacktivism and its effect in real world conflicts. The clear success of hacktivism throughout this period will almost certainly be used as a blueprint in future conflicts. Groups from both sides of the Ukrainian conflict continue to influence the ongoing situation in Ukraine, further advancing the importance of hacktivist activity in this war.
The ability for future hacktivist elements to anonymise cyber operations through tools which mask the identity of hackers alongside coordination through increasingly sophisticated and encrypted communications, allows for ease of entry into hacktivist groups which wasn’t possible in the past. The advancement of open-source hacking tools and their ease of use to would-be hackers has also played a key role in this conflict. Cases of automated DDoS are a prime example of this, allowing individuals to play a role in defending or attacking in cyberspace.
It is highly likely that the ongoing collaboration and coordination between groups will be a key feature in cyber landscape in future conflicts, and will likely change the way governments conduct operations in future conflicts.
As discussed throughout this blog, the war in Ukraine has galvanised hacktivist elements who are now in some cases over a month into an intense digital conflict. While this operational tempo is appropriate for a conflict setting, the question remains: what will these groups do as and when the conflict draws down? To understand the future for hacktivism and the groups currently involved in the raging cyberwar, several future changes need to be considered.
Will governments and their respective law enforcement entities continue to turn a blind eye to the operations of hacktivists after a potential peace agreement is made? If so, what will the hacktivist groups that will have spent months working around the clock to conduct attacks do next?
Ukraine’s championing of hacktivist activity during the invasion may result in confusion over its legality in the long term; hacktivists may feel that their activity is sanctioned, even after the conflict ends. Based on previous law enforcement activity against hacktivists, it is likely that following the end of the conflict, pre-war stances against the current free reign for hacktivists may return, potentially culminating in arrests and the seizure of domains and infrastructure used by the groups. It is also plausible that instead of indictments and law enforcement action, several nation states may look to recruit certain hacktivist elements into their own state-sponsored offensive cyber groups.
With these scenarios considered, the question remains as to what happens to the hackers who have gained significant experience throughout the conflict conducting often complex cyber-attacks? As governments may look to recruit individuals it is highly likely criminal threat actors will look to do the same. Ransomware groups who have consistently looked to recruit ‘affiliates’ to their operations will almost certainly attract capable individuals with the promise of financial gain and notoriety, something which many hacktivists have always craved. It is also likely that a large proportion of hacktivist elements involved in current activity have ties to criminal cyber activity already and are therefore likely to return to their ‘day jobs’ as the conflict winds down.
While it is likely many less experienced hacktivists may be drawn away from hacktivist activity, it is almost certain a portion of hackers involved will remain passionate and active in traditional hacktivist activity. Despite any potential peace agreement, several groups will continue to conduct operations globally in line with the ethos of activism and hacking which defines a true hacktivist.
